Help: explanation of secure flash?

rhkr...@gmail.com

Jul 6, 2021, 6:40:04 PM
I've seen warnings (against hacks) that say (among other things) to enable
"secure flash". I've been googling to learn more about that, but I haven't
found any good explanation.

I'm beginning to get hints that it is not so much a thing (to be enabled), but
more the (a) process to update the computer's BIOS. (e.g., "'Unable to start
a Secure flash session' error message.")

Can somebody provide either a little more explanation and / or a link to a
(reasonably simple) reference?

Jeremy Nicoll

Jul 6, 2021, 7:10:04 PM
On Tue, 6 Jul 2021, at 23:37, rhkr...@gmail.com wrote:
> I've seen warnings (against hacks) that say (among other things) to enable
> "secure flash". I've been googling to learn more about that, but I haven't
> found any good explanation.
>
> I'm beginning to get hints that it is not so much a thing (to be enabled), but
> more the (a) process to update the computer's BIOS. (e.g., "'Unable to start
> a Secure flash session' error message.")

It might be a suggestion that you use your BIOS or UEFI to disable the
machine's ability to boot off a USB stick ... because that - if it's on - allows
anyone to reboot your machine with the OS and tools of their choice.

So, you go into the BIOS, find the right option(s) and disable them, then
make sure you have passwords set to control access to the BIOS if you
didn't already have them set, then save & exit.

If YOU ever need to boot from a USB stick you enter the BIOS again,
supplying its password, and turn the option back on. Don't forget
after that to disable it again.

As to what the option(s) are actually called in your machine's BIOS,
who knows? In my experience BIOS options normally have very
terse names and the "help" text is only marginally more useful. But
you should be able to google on the option name and the BIOS
supplier's name and the BIOS version to find out more.

--
Jeremy Nicoll - my opinions are my own.

Rick Thomas

Jul 6, 2021, 9:10:04 PM


On Tue, Jul 6, 2021, at 5:43 PM, Rick Thomas wrote:
> On Tue, Jul 6, 2021, at 3:37 PM, rhkr...@gmail.com wrote:
> > I've seen warnings (against hacks) that say (among other things) to enable
> > "secure flash". I've been googling to learn more about that, but I haven't
> > found any good explanation.
...
> Use your favorite search engine to look for "self encrypted ssd"
> (without the quotes).

In particular:
https://www.crucial.com/articles/about-ssd/self-encrypting-ssd-for-data-security

Rick Thomas

Jul 6, 2021, 9:10:04 PM
On Tue, Jul 6, 2021, at 3:37 PM, rhkr...@gmail.com wrote:
There are available on the market SATA and USB interface flash or SSD drives that have built-in encryption. They require the user to enter an encryption key when they start up. The software to handle requesting and passing the key can be in the BIOS or in a user-supplied boot-loader or user-mode app that resides on a non-encrypted disk.

The advantage of this mode vs software encryption is that the encryption engine resides in the firmware of the disk so it doesn't eat up CPU or GPU cycles that should be better applied to running user apps.

Use your favorite search engine to look for "self encrypted ssd" (without the quotes).

Does that help?
Rick

Kevin N.

Jul 6, 2021, 11:10:04 PM

rhkr...@gmail.com

Jul 7, 2021, 8:50:03 AM
Thanks to all who replied!

This (the link above) happens to be one of the links I did find and read / skim
-- it didn't seem applicable.

I thought it would be something applicable to secure boot or similar.

Maybe unrelated but I also came across some kind of option in my search, which
without looking for again, is something like disable <something -- BIOS?>
rollover (right word?).

I guess I'll let things sit for now, and when I install Debian (presumably
Bullseye) on my newest computer, I'll look again.

Polyna-Maude Racicot-Summerside

Jul 7, 2021, 10:10:04 AM
Hi,

On 2021-07-07 8:46 a.m., rhkr...@gmail.com wrote:
> On Tuesday, July 06, 2021 10:53:52 PM Kevin N. wrote:
>>> Can somebody provide either a little more explanation and / or a link to
>>> a (reasonably simple) reference?
>>
>> https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-1
>>
>> https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-2
>
This was a good explanation to the original thread name.

> Thanks to all who replied!
>
> This (the link above) happens to be one of the links I did find and read / skim
> -- it didn't seem applicable.
>
> I thought it would be something applicable to secure boot or similar.
>
What you may want to use is secure boot. Your original message was
related to something different and this seems to be why you got the links above.

> Maybe unrelated but I also came across some kind of option in my search, which
> without looking for again, is something like disable <something -- BIOS?>
> rollover (right word?).
For sure, if you write messages using such precision as "<something --
BIOS?> " then your risk of receiving answers that are good but don't go
in your direction is quite high.
We have thousands of words used for communicating and they grow every
day. Each domain has its own particular words because users of those
specific words have found a need to be precisely understood.
A floppy is not a hard drive (even if some floppies used to be hard like
the 3.5). Flash can be a generic term for a type of memory but when you
are talking about embedded systems or electronics, flash mostly means a
form of persistent memory that can be electronically modified (as
opposed to UV ROM that would need a UV light).
In general computing, a flash memory can mean the USB stick that you use.

By reading your last message, what I get is two things.
First : A lack of clarity
Second : You seem to want the use of secure boot so that your system is
secured from the start up.
Or third : There's also a possible option to disable BIOS flashing, that
is the possibility of a user updating the BIOS (or UEFI) that is on your
motherboard. There were some limited attacks using BIOS updates.

Regarding the links some other user sent you above. Maybe they seem
irrelevant for you but instead of reading them looking for an exact
solution why don't you read them trying to understand what makes a system
secure and what not.

But maybe those links are too complex (we all have stuff that is not
ready for us to digest at this moment). This is why the use of the right
words is important. If we use them interchangeably because we think they
may fit, we don't get understood and risk understanding them the wrong way.

Good luck with your secure boot (that includes some signature keys
flashed into the UEFI at the factory).


>
> I guess I'll let things sit for now, and when I install Debian (presumably
> Bullseye) on my newest computer, I'll look again.
>

Maybe reading on the subject of Secure Boot (on Debian doc is a good
start) and the general subject of hardware security in general would
help you for the next step.

You can find much information online. If you get into a link that is not
closely related to your problem, read it anyway as it will allow you to
get a better understanding of other use cases.
Sincerely,
--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development


rhkr...@gmail.com

Jul 7, 2021, 4:10:04 PM
On Tuesday, July 06, 2021 07:07:29 PM Jeremy Nicoll wrote:
> On Tue, 6 Jul 2021, at 23:37, rhkr...@gmail.com wrote:
> > I've seen warnings (against hacks) that say (among other things) to
> > enable "secure flash". I've been googling to learn more about that, but
> > I haven't found any good explanation.
> >
> > I'm beginning to get hints that it is not so much a thing (to be
> > enabled), but more the (a) process to update the computer's BIOS.
> > (e.g., "'Unable to start a Secure flash session' error message.")
>
> It might be a suggestion that you use your BIOS or UEFI to disable the
> machine's ability to boot off a USB stick ... because that - if it's on -
> allows anyone to reboot your machine with the OS and tools of their
> choice.

Thanks to all who replied!

I found some more information. It seems that SecureFlash might be an American
Megatrends (AMI) thing related to SecureBoot and UEFI.

It is apparently a means to flash a BIOS and make sure that the new image is
"secure" (for some definition of secure).

The word that I could not remember exactly was rollback (not rollover) and
"anti-rollback" is apparently intended to prevent a hacker from rolling back
the BIOS to an earlier less secure version.

The following is a link to an old (20120220) presentation on the subject, with
some quotes captured from the slides.

I don't know if Secure Flash is still a thing or has been replaced by
something else.

(Try to ignore the markup -- it is what I use in what I sometimes call my
offline TWiki.)

* [[https://members.uefi.org/learning_center/UEFI_Plugfest_2012Q1_v3_AMI.pdf][Secure Firmware Update]]: "UEFI Winter Plugfest – February 20-23, 2012: Presented by Zachary Bobroff (AMI)"
`=
Why Secure Flash Update?
• Platform security is a broad topic...
– Many overlapping technologies (TPM, secure boot,
secure flash update, etc)
– System complexity is increasing with new
technologies (Execute Disable, virtualization, etc)
– No one specification ties all security technologies
together
• Firmware modification/tinkering by the hobbyist
is becoming more commonplace
• The UEFI specification completely documents all
interfaces
– Malicious software can attack the firmware

...

Connection with Secure Boot
• Secure boot dictates that all external images
must be authenticated prior to execution
• Secure boot ensures the system booted in a
trusted state
• Secure boot prevents attacks targeting the
firmware to OS handoff
• Secure boot does not prevent any direct attacks
on the firmware itself, and the UEFI
specification has no provisioning for firmware
protection

...

Secure Flash Demonstration
• The following will be demonstrated:
– The capsule update method using AMI ASFU (AMI
Secure Flash Update) Utility
– Anti-Rollback will be tested by trying to flash original
image
– A modified binary will be used to simulate a malicious
BIOS update
• A binary modified after signing will have an invalid
signature
='
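
The two checks named in the demonstration slide quoted above (a binary modified after signing has an invalid signature; the original image is refused by anti-rollback), as an added sketch that is not part of the original post and is not AMI's code. The capsule layout, the function names and the toy textbook-RSA key (two known Mersenne primes, no padding, not secure) are assumptions chosen so it runs with the Python standard library only.

```python
import hashlib
import struct

# Toy textbook-RSA key from two known Mersenne primes, so this runs with the
# standard library only. NOT secure: real keys are random and use padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: vendor side only
SIG_LEN = (N.bit_length() + 7) // 8
HEADER = struct.Struct(">4sI")       # assumed layout: magic, firmware version
MAGIC = b"FWUP"                      # constructed value


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_capsule(version: int, image: bytes) -> bytes:
    """Vendor side: sign header and image together, so the version is covered."""
    signed = HEADER.pack(MAGIC, version) + image
    return signed + pow(_digest(signed), D, N).to_bytes(SIG_LEN, "big")


def check_capsule(capsule: bytes, installed_version: int) -> str:
    """Platform side: return 'accept' or the reason the update is refused."""
    if len(capsule) < HEADER.size + SIG_LEN:
        return "reject: truncated"
    signed, sig = capsule[:-SIG_LEN], capsule[-SIG_LEN:]
    # 1. Authenticity first; no header field is trusted before this passes.
    if pow(int.from_bytes(sig, "big"), E, N) != _digest(signed):
        return "reject: invalid signature"
    magic, version = HEADER.unpack_from(signed)
    if magic != MAGIC:
        return "reject: bad magic"
    # 2. Anti-rollback: a genuine but older image is still refused.
    if version < installed_version:
        return "reject: rollback"
    return "accept"


def demo() -> dict:
    old = sign_capsule(2, b"constructed image, version 2")
    new = sign_capsule(3, b"constructed image, version 3")
    tampered = bytearray(new)
    tampered[HEADER.size] ^= 0x01                # image changed after signing
    relabelled = HEADER.pack(MAGIC, 9) + old[HEADER.size:]  # old image as "v9"
    return {"new": check_capsule(new, 2), "old": check_capsule(old, 3),
            "tampered": check_capsule(bytes(tampered), 3),
            "relabelled": check_capsule(relabelled, 3)}
```

Because the version field sits inside the signed region, relabelling an old image with a higher version fails the signature check instead of slipping past the rollback check.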

Polyna-Maude Racicot-Summerside

Jul 7, 2021, 9:00:03 PM
Hi,
> (Try to ignore the markup -- it is what I use in what I sometimes call my
> offline TWiki.)
>
> *
Are you a TikiWiki user ?

rhkr...@gmail.com

Jul 7, 2021, 10:20:03 PM
On Wednesday, July 07, 2021 08:57:30 PM Polyna-Maude Racicot-Summerside wrote:
> Are you a TikiWiki user ?

No -- TWiki / Foswiki